[Cryptography] Crypto best practices

Jerry Leichter leichter at lrw.com
Tue Mar 21 16:09:29 EDT 2017


> Going by such a strict requirement, then of course - in order to completely prevent any leakage of which ranges of plaintext blocks that are identical across different encryptions under the same key+IV, then the change of any plaintext bit must also change the full ciphertext. (I believe that's also called an "all-or-nothing transform", where any change anywhere must modify all ciphertext bits, not just make a local change.) 
Are we talking about *theoretical* security or *practical* security?

If it's *theoretical* security, it seems silly to be concentrating on lapses that generate the same IV twice.  How about easily guessed keys?  Or many other practical lapses?

If it's *practical* security, combining the user's offered IV with the time, to as high a precision as you can get it, pretty much eliminates the *practical* issue of IV reuse.  (Note that you don't need a very sophisticated combiner, but XOR is likely a bad idea as some bright user may decide to himself use the high-precision time as a quick way to generate a "unique" IV.)

Of course none of this helps if you are using a mode that requires an *unpredictable* IV, not just a *unique* IV.
                                                        -- Jerry
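As an added illustration (not part of Jerry's message, and not code from the list), the Python below shows why a hash-based combiner beats XOR when a caller happens to feed the same high-precision timestamp in as its "unique" IV. The function names and the constructed timestamps are assumptions made for the demo.

```python
import hashlib
import time

IV_LEN = 16  # 128-bit IV, as used by AES-based modes


def xor_combine(user_iv: bytes, t_ns: int) -> bytes:
    """Combine the caller's IV with a nanosecond timestamp by XOR.

    This is the combiner the message warns against: a caller who already
    uses the timestamp as its IV cancels the server-side contribution.
    """
    assert len(user_iv) == IV_LEN
    t = t_ns.to_bytes(IV_LEN, "big")
    return bytes(a ^ b for a, b in zip(user_iv, t))


def hash_combine(user_iv: bytes, t_ns: int) -> bytes:
    """Combine caller IV and timestamp by hashing their concatenation.

    Neither input can be chosen to cancel the other, so two calls with
    distinct timestamps yield distinct IVs regardless of what the caller sent.
    """
    assert len(user_iv) == IV_LEN
    return hashlib.sha256(user_iv + t_ns.to_bytes(IV_LEN, "big")).digest()[:IV_LEN]


def fresh_iv(user_iv: bytes, combine=hash_combine) -> bytes:
    """Derive the IV actually used for encryption from the caller's IV and the clock."""
    return combine(user_iv, time.time_ns())


def distinct_ivs(combine, user_ivs, times) -> int:
    """Number of distinct derived IVs over a sequence of (caller IV, timestamp) pairs."""
    return len({combine(iv, t) for iv, t in zip(user_ivs, times)})


# Constructed timestamps (nanoseconds) for three successive encryptions.
TIMES = [1_490_126_969_000_000_001, 1_490_126_969_000_000_002, 1_490_126_969_000_000_003]

# A "bright user" who supplies the current high-precision time as the IV.
TIME_AS_IV = [t.to_bytes(IV_LEN, "big") for t in TIMES]

# A careless caller who reuses one fixed IV on every call.
FIXED_IV = [b"\x00" * IV_LEN] * len(TIMES)

if __name__ == "__main__":
    print("time-as-IV, XOR :", distinct_ivs(xor_combine, TIME_AS_IV, TIMES))   # 1: all-zero IV every time
    print("time-as-IV, hash:", distinct_ivs(hash_combine, TIME_AS_IV, TIMES))  # 3
    print("fixed IV,   XOR :", distinct_ivs(xor_combine, FIXED_IV, TIMES))     # 3
    print("fixed IV,   hash:", distinct_ivs(hash_combine, FIXED_IV, TIMES))    # 3
```

Either combiner rescues the fixed-IV caller; only the hash survives the caller who picked the clock, and neither makes the result unpredictable, so this is for unique-IV modes only.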